doing some googling, i came across this: issues resolving DNSSEC queries with cloudflared as upstream · Issue #1263 · pi-hole/FTL · GitHub
not sure how much it relates or not yet
however, i used it to mimic some of the dig options
below are ran in the same order with the options, however the first is via cloudflared service, and the second via pihole (cloudflared service as upstream)
CloudFlared Service - quad9 upstream
pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 debian.org
; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34985
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: dbe6b027cf9b1e64 (echoed)
;; QUESTION SECTION:
;debian.org. IN A
;; ANSWER SECTION:
debian.org. 300 IN A 128.31.0.62
debian.org. 300 IN A 130.89.148.77
debian.org. 300 IN A 149.20.4.15
;; Query time: 68 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:51:10 EDT 2022
;; MSG SIZE rcvd: 129
pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +dnssec debian.org
; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28648
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: ee0434c575ceecdb (echoed)
;; QUESTION SECTION:
;debian.org. IN A
;; ANSWER SECTION:
debian.org. 295 IN A 128.31.0.62
debian.org. 295 IN A 130.89.148.77
debian.org. 295 IN A 149.20.4.15
debian.org. 295 IN RRSIG A 8 2 300 20220530001838 20220419231838 27360 debian.org. VjvoC+gsfqRWMp+JC9CyGzm0uy6aQQNvwT16kq+GVDIMsfNt0rQ5cGFv M2wmHTJd5mcUvvuc9NZznj88GAQO8RX5j/2r2TuiE+9pvPZ7Q6Ld0DWN Q8dFbuQNyoCH0pnWRE9QBxKD8l2Dak5m7CdzFVEVoZ/rrv1ps/dVdJgk hwQd1TuIbzzpsSV774Vzz/YG3ApwmZzAuV3Hzrjl6lK7s9pDef/Mftn9 OYJTL//FwKjctKgn9CeIyPZ69Nz0J0jO
;; Query time: 4 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:51:16 EDT 2022
;; MSG SIZE rcvd: 373
pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +notcp +ignore debian.org
; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3078
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7768d02997dd6ba6 (echoed)
;; QUESTION SECTION:
;debian.org. IN A
;; ANSWER SECTION:
debian.org. 287 IN A 128.31.0.62
debian.org. 287 IN A 130.89.148.77
debian.org. 287 IN A 149.20.4.15
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:51:24 EDT 2022
;; MSG SIZE rcvd: 129
pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +tcp +ignore debian.org
; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15706
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 1b44a07d91b4e4fc (echoed)
;; QUESTION SECTION:
;debian.org. IN A
;; ANSWER SECTION:
debian.org. 281 IN A 128.31.0.62
debian.org. 281 IN A 130.89.148.77
debian.org. 281 IN A 149.20.4.15
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:51:30 EDT 2022
;; MSG SIZE rcvd: 129
pi@raspbian-5:~ $
Pihole Service
pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 debian.org
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8151
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 34399c138967f75c (echoed)
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;debian.org. IN A
;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:52:43 EDT 2022
;; MSG SIZE rcvd: 57
pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +dnssec debian.org
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 92a4693e6eaf3151 (echoed)
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;debian.org. IN A
;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:52:49 EDT 2022
;; MSG SIZE rcvd: 57
pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +notcp +ignore debian.org
; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14684
;; flags: qr aa tc rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a2a117bd47db42d6 (echoed)
;; QUESTION SECTION:
;debian.org. IN A
;; ANSWER SECTION:
debian.org. 195 IN A 128.31.0.62
debian.org. 195 IN A 130.89.148.77
debian.org. 195 IN A 149.20.4.15
;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:52:56 EDT 2022
;; MSG SIZE rcvd: 129
pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +tcp +ignore debian.org
; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52800
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0076f55e87f856b4 (echoed)
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;debian.org. IN A
;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:53:06 EDT 2022
;; MSG SIZE rcvd: 57
pi@raspbian-5:~ $